From 8617b093d0031837a7be9b32bc674580cfb5f6b5 Mon Sep 17 00:00:00 2001
From: Mohammed Shafi Shajakhan
Date: Mon, 20 Feb 2012 10:05:31 +0530
Subject: mac80211: zero initialize count field in ieee80211_tx_rate

rate control algorithms concludes the rate as invalid with rate[i].idx < -1 , while they do also check for rate[i].count is non-zero. it would be safer to zero initialize the 'count' field. recently we had a ath9k rate control crash where the ath9k rate control in ath_tx_status assumed to check only for rate[i].count being non-zero in one instance and ended up in using invalid rate index for 'connection monitoring NULL func frames' which eventually lead to the crash. thanks to Pavel Roskin for fixing it and finding the root cause.
https://bugzilla.redhat.com/show_bug.cgi?id=768639
Cc: stable@vger.kernel.org
Cc: Pavel Roskin
Signed-off-by: Mohammed Shafi Shajakhan
Signed-off-by: John W. Linville
---
 net/mac80211/rate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'net')
diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
index ad64f4d5271..f9b8e819ca6 100644
--- a/net/mac80211/rate.c
+++ b/net/mac80211/rate.c
@@ -344,7 +344,7 @@ void rate_control_get_rate(struct ieee80211_sub_if_data *sdata,
 for (i = 0; i < IEEE80211_TX_MAX_RATES; i++) {
 info->control.rates[i].idx = -1;
 info->control.rates[i].flags = 0;
- info->control.rates[i].count = 1;
+ info->control.rates[i].count = 0;
 }
 if (sdata->local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL)
-- 
cgit v1.2.3-70-g09d2

From 0dee00686da88cc32753e02e4e8efdd9e326e4d2 Mon Sep 17 00:00:00 2001
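Review bot: The reset loop in rate_control_get_rate() (net/mac80211/rate.c) now marks an unused slot with two sentinels, `idx = -1` and `count = 0`, but nothing at the site says which of them a consumer has to test. The commit message describes a driver path that looked only at `count` and went on to use an invalid rate index, so the convention is worth stating where the slots are initialised, e.g. `/* unused slot: idx < 0 and count == 0; check idx before indexing any rate table */` above the loop. Zeroing `count` narrows that failure mode but does not replace an `idx < 0` check in code that indexes by `idx`. The function body starts and ends outside the hunk.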
From: Mohammed Shafi Shajakhan
Date: Mon, 20 Feb 2012 14:44:01 +0530
Subject: mac80211: Fix a warning on changing to monitor mode from STA

nothing needs to be done for monitor/AP_VLAN mode on calling ieee80211_bss_info_change_notify -> drv_bss_info_changed with the change flag 'BSS_CHANGED_IDLE'. 'wl1271' seems to use BSS_CHANGED_IDLE only for STA and IBSS mode. further the non-idle state of the monitor mode is taken care by the 'count' variable which counts non-idle interfaces. ieee80211_idle_off(local, "in use") will be called. this fixes the following WARNING when we have initially STA mode (network manager running) and not associated, and change it to monitor mode with network manager disabled and bringing up the monitor mode. this changes the idle state from 'true' (STA unassociated) to 'false' (MONITOR mode) exposed by the commit 405385f8ce7a2ed8f82e216d88b5282142e1288b "mac80211: set bss_conf.idle when vif is connected"
WARNING: net/mac80211/main.c:212 ieee80211_bss_info_change_notify+0x1cf/0x330 [mac80211]()
Hardware name: 64756D6
Pid: 3835, comm: ifconfig Tainted: G O 3.3.0-rc3-wl #9
Call Trace:
[] warn_slowpath_common+0x72/0xa0
[] ? ieee80211_bss_info_change_notify+0x1cf/0x330 [mac80211]
[] ? ieee80211_bss_info_change_notify+0x1cf/0x330 [mac80211]
[] warn_slowpath_null+0x22/0x30
[] ieee80211_bss_info_change_notify+0x1cf/0x330 [mac80211]
[] __ieee80211_recalc_idle+0x113/0x430 [mac80211]
[] ieee80211_do_open+0x156/0x7e0 [mac80211]
[] ? ieee80211_check_concurrent_iface+0x25/0x180 [mac80211]
[] ? raw_notifier_call_chain+0x1f/0x30
[] ieee80211_open+0x40/0x80 [mac80211]
[] __dev_open+0x96/0xe0
[] ? _raw_spin_unlock_bh+0x35/0x40
[] __dev_change_flags+0x109/0x170
[] dev_change_flags+0x23/0x60
[] devinet_ioctl+0x6a0/0x770
ieee80211 phy0: device no longer idle - in use
Cc: Eliad Peller
Signed-off-by: Mohammed Shafi Shajakhan
Signed-off-by: John W. Linville
---
 net/mac80211/iface.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'net')
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 01a21c2f6ab..8e2137bd87e 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -1332,6 +1332,9 @@ u32 __ieee80211_recalc_idle(struct ieee80211_local *local)
 hw_roc = true;
 list_for_each_entry(sdata, &local->interfaces, list) {
+ if (sdata->vif.type == NL80211_IFTYPE_MONITOR ||
+ sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
+ continue;
 if (sdata->old_idle == sdata->vif.bss_conf.idle)
 continue;
 if (!ieee80211_sdata_running(sdata))
-- 
cgit v1.2.3-70-g09d2

From e899b1119f1428f2b04dd7e9dba94864c33dd30b Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Wed, 22 Feb 2012 16:14:32 +0100
Subject: netfilter: bridge: fix module autoload in compat case

We expected 0 if module doesn't exist, which is no longer the case (42046e2e45c109ba703993c510401a11f716c8df, netfilter: x_tables: return -ENOENT for non-existant matches/targets).
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
 net/bridge/netfilter/ebtables.c | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
(limited to 'net')
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 5864cc49136..8aa4ad0e06a 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1893,10 +1893,7 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
 switch (compat_mwt) {
 case EBT_COMPAT_MATCH:
- match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
- name, 0), "ebt_%s", name);
- if (match == NULL)
- return -ENOENT;
+ match = xt_request_find_match(NFPROTO_BRIDGE, name, 0);
 if (IS_ERR(match))
 return PTR_ERR(match);
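Review bot: The new interface-type skip at the top of the `list_for_each_entry` loop in __ieee80211_recalc_idle() (net/mac80211/iface.c) has no comment, so the reason for it lives only in the commit message. I would add `/* BSS_CHANGED_IDLE is not signalled for monitor/AP_VLAN vifs; their activity is covered by count */` above the `if`. The hunk does not show where `old_idle` is refreshed, so it is worth confirming that skipped interfaces do not carry a stale value into a later type change, which is the scenario the commit message describes. The loop and the function continue outside the hunk.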
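Review bot: Dropping the `== NULL` test in the EBT_COMPAT_MATCH case of compat_mtw_from_user() (net/bridge/netfilter/ebtables.c) leaves `IS_ERR()` as the only guard, which is sound only if xt_request_find_match() never returns NULL; that contract is not visible in this hunk. The same applies to xt_request_find_target() in the EBT_COMPAT_WATCHER/EBT_COMPAT_TARGET hunk at -1915, where `wt` goes straight into xt_compat_target_offset(). A short comment at both call sites, such as `/* returns a valid pointer or ERR_PTR(), never NULL */`, would record the assumption. Since the lookup name in a compat path presumably originates from userspace, it is also worth confirming that the helper builds the same `ebt_` module alias that the removed `"ebt_%s"` format spelled out. The function starts and ends outside both hunks.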
@@ -1915,10 +1912,7 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
 break;
 case EBT_COMPAT_WATCHER: /* fallthrough */
 case EBT_COMPAT_TARGET:
- wt = try_then_request_module(xt_find_target(NFPROTO_BRIDGE,
- name, 0), "ebt_%s", name);
- if (wt == NULL)
- return -ENOENT;
+ wt = xt_request_find_target(NFPROTO_BRIDGE, name, 0);
 if (IS_ERR(wt))
 return PTR_ERR(wt);
 off = xt_compat_target_offset(wt);
-- 
cgit v1.2.3-70-g09d2

From 4c90d3b30334833450ccbb02f452d4972a3c3c3f Mon Sep 17 00:00:00 2001
From: Neal Cardwell
Date: Sun, 26 Feb 2012 10:06:19 +0000
Subject: tcp: fix false reordering signal in tcp_shifted_skb

When tcp_shifted_skb() shifts bytes from the skb that is currently pointed to by 'highest_sack' then the increment of TCP_SKB_CB(skb)->seq implicitly advances tcp_highest_sack_seq(). This implicit advancement, combined with the recent fix to pass the correct SACKed range into tcp_sacktag_one(), caused tcp_sacktag_one() to think that the newly SACKed range was before the tcp_highest_sack_seq(), leading to a call to tcp_update_reordering() with a degree of reordering matching the size of the newly SACKed range (typically just 1 packet, which is a NOP, but potentially larger). This commit fixes this by simply calling tcp_sacktag_one() before the TCP_SKB_CB(skb)->seq advancement that can advance our notion of the highest SACKed sequence. Correspondingly, we can simplify the code a little now that tcp_shifted_skb() should update the lost_cnt_hint in all cases where skb == tp->lost_skb_hint.
Signed-off-by: Neal Cardwell
Signed-off-by: David S. Miller
---
 net/ipv4/tcp_input.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
(limited to 'net')
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 53c8ce4046b..ee42d42b2f4 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1403,8 +1403,16 @@ static int tcp_shifted_skb(struct sock *sk, struct sk_buff *skb,
 BUG_ON(!pcount);
- /* Adjust hint for FACK. Non-FACK is handled in tcp_sacktag_one(). */
- if (tcp_is_fack(tp) && (skb == tp->lost_skb_hint))
+ /* Adjust counters and hints for the newly sacked sequence
+ * range but discard the return value since prev is already
+ * marked. We must tag the range first because the seq
+ * advancement below implicitly advances
+ * tcp_highest_sack_seq() when skb is highest_sack.
+ */
+ tcp_sacktag_one(sk, state, TCP_SKB_CB(skb)->sacked,
+ start_seq, end_seq, dup_sack, pcount);
+
+ if (skb == tp->lost_skb_hint)
 tp->lost_cnt_hint += pcount;
 TCP_SKB_CB(prev)->end_seq += shifted;
@@ -1430,12 +1438,6 @@ static int tcp_shifted_skb(struct sock *sk, struct sk_buff *skb,
 skb_shinfo(skb)->gso_type = 0;
 }
- /* Adjust counters and hints for the newly sacked sequence range but
- * discard the return value since prev is already marked.
- */
- tcp_sacktag_one(sk, state, TCP_SKB_CB(skb)->sacked,
- start_seq, end_seq, dup_sack, pcount);
-
 /* Difference in this won't matter, both ACKed by the same cumul. ACK */
 TCP_SKB_CB(prev)->sacked |= (TCP_SKB_CB(skb)->sacked & TCPCB_EVER_RETRANS);
-- 
cgit v1.2.3-70-g09d2
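Review bot: The rewritten comment in the first tcp_shifted_skb() hunk (net/ipv4/tcp_input.c) explains why tcp_sacktag_one() has to run before the seq advancement, but not why the `lost_cnt_hint` adjustment below it lost its `tcp_is_fack(tp)` condition. The removed comment said the non-FACK case was handled inside tcp_sacktag_one(), so a reader will ask whether non-FACK connections now add `pcount` twice; the commit message implies they do not, but tcp_sacktag_one() is outside the hunk and that should be confirmed there. I would put a line above the `if`, such as `/* With the range tagged before seq moves, the hint update for this skb is done here for FACK and non-FACK alike. */`. The second hunk only removes the old call site, and the function body extends beyond both hunks.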